[Git][security-tracker-team/security-tracker][master] 3 commits: Drop bullseye entries for iotjs (removed)
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat Aug 31 11:33:08 BST 2024
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
15a529c9 by Salvatore Bonaccorso at 2024-08-31T10:33:52+02:00
Drop bullseye entries for iotjs (removed)
- - - - -
89946de1 by Salvatore Bonaccorso at 2024-08-31T12:24:22+02:00
Merge changes for updates with CVEs via bullseye 11.11
- - - - -
b78f33ab by Salvatore Bonaccorso at 2024-08-31T10:32:43+00:00
Merge branch 'bullseye-11.11' into 'master'
Merge changes accepted for bullseye 11.11 release
See merge request security-tracker-team/security-tracker!188
- - - - -
2 changed files:
- data/CVE/list
- data/next-oldstable-point-update.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -3582,7 +3582,7 @@ CVE-2024-43378 (calamares-nixos-extensions provides Calamares branding and modul
CVE-2024-43370 (gettext.js is a GNU gettext port for node and the browser. There is a ...)
- gettext.js 0.7.0-4 (bug #1078880)
[bookworm] - gettext.js 0.7.0-2+deb11u1
- [bullseye] - gettext.js <no-dsa> (Minor issue; will be fixed in point release)
+ [bullseye] - gettext.js 0.7.0-2+deb11u1
NOTE: https://github.com/guillaumepotier/gettext.js/security/advisories/GHSA-vwhg-jwr4-vxgg
NOTE: Fixed by: https://github.com/guillaumepotier/gettext.js/commit/6e52e0f8fa7d7c8b358e78b613d47ea332b8a56c (2.0.3)
CVE-2024-43369 (Ibexa RichText Field Type is a Field Type for supporting rich formatte ...)
@@ -4111,7 +4111,7 @@ CVE-2024-26022 (Improper access control in some Intel(R) UEFI Integrator Tools o
CVE-2024-25939 (Mirrored regions with different values in 3rd Generation Intel(R) Xeon ...)
- intel-microcode 3.20240813.1 (bug #1078742)
[bookworm] - intel-microcode 3.20240813.1~deb12u1
- [bullseye] - intel-microcode <no-dsa> (Will be fixed in the upcoming point release)
+ [bullseye] - intel-microcode 3.20240813.1~deb11u1
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01118.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240813
CVE-2024-25576 (improper access control in firmware for some Intel(R) FPGA products be ...)
@@ -4129,7 +4129,7 @@ CVE-2024-24983 (Protection mechanism failure in firmware for some Intel(R) Ether
CVE-2024-24980 (Protection mechanism failure in some 3rd, 4th, and 5th Generation Inte ...)
- intel-microcode 3.20240813.1 (bug #1078742)
[bookworm] - intel-microcode 3.20240813.1~deb12u1
- [bullseye] - intel-microcode <no-dsa> (Will be fixed in the upcoming point release)
+ [bullseye] - intel-microcode 3.20240813.1~deb11u1
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01100.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240813
CVE-2024-24977 (Uncontrolled search path for some Intel(R) License Manager for FLEXlm ...)
@@ -4139,7 +4139,7 @@ CVE-2024-24973 (Improper input validation for some Intel(R) Distribution for GDB
CVE-2024-24853 (Incorrect behavior order in transition between executive monitor and S ...)
- intel-microcode 3.20240813.1 (bug #1078742)
[bookworm] - intel-microcode 3.20240813.1~deb12u1
- [bullseye] - intel-microcode <no-dsa> (Will be fixed in the upcoming point release)
+ [bullseye] - intel-microcode 3.20240813.1~deb11u1
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01083.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240813
CVE-2024-24580 (Improper conditions check in some Intel(R) Data Center GPU Max Series ...)
@@ -4219,7 +4219,7 @@ CVE-2023-43489 (Improper access control for some Intel(R) CIP software before ve
CVE-2023-42667 (Improper isolation in the Intel(R) Core(TM) Ultra Processor stream cac ...)
- intel-microcode 3.20240813.1 (bug #1078742)
[bookworm] - intel-microcode 3.20240813.1~deb12u1
- [bullseye] - intel-microcode <no-dsa> (Will be fixed in the upcoming point release)
+ [bullseye] - intel-microcode 3.20240813.1~deb11u1
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01038.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240813
CVE-2023-40067 (Unchecked return value in firmware for some Intel(R) CSME may allow an ...)
@@ -4598,7 +4598,7 @@ CVE-2023-31366 (Improper input validation in AMD \u03bcProf could allow an attac
CVE-2023-31356 (Incomplete system memory cleanup in SEV firmware could allow a privile ...)
- amd64-microcode 3.20240820.1
[bookworm] - amd64-microcode 3.20240820.1~deb12u1
- [bullseye] - amd64-microcode <no-dsa> (Minor issue)
+ [bullseye] - amd64-microcode 3.20240820.1~deb11u1
NOTE: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3003.html
NOTE: https://lore.kernel.org/all/20240820182655.42311-1-john.allen@amd.com/
CVE-2023-31349 (Incorrect default permissions in the AMD \u03bcProf installation direc ...)
@@ -5156,7 +5156,7 @@ CVE-2023-38018 (IBM Aspera Shares 1.10.0 PL2 does not invalidate session after a
CVE-2023-31315 (Improper validation in a model specific register (MSR) could allow a m ...)
- amd64-microcode 3.20240710.1
[bookworm] - amd64-microcode 3.20240710.2~deb12u1
- [bullseye] - amd64-microcode <no-dsa> (Will be updated in the point release)
+ [bullseye] - amd64-microcode 3.20240710.2~deb11u1
NOTE: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7014.html
CVE-2024-41890 (Missing Release of Resource after Effective Lifetime vulnerability in ...)
NOT-FOR-US: Apache Answer
@@ -6101,13 +6101,13 @@ CVE-2024-7055 (A vulnerability was found in FFmpeg up to 7.0.1. It has been clas
CVE-2024-7009 (Unsanitized user-input in Calibre <= 7.15.0 allow users with permissio ...)
- calibre 7.16.0+ds-1
[bookworm] - calibre 6.13.0+repack-2+deb12u4
- [bullseye] - calibre <no-dsa> (Minor issue)
+ [bullseye] - calibre 5.12.0+dfsg-1+deb11u2
NOTE: https://starlabs.sg/advisories/24/24-7009/
NOTE: https://github.com/kovidgoyal/calibre/commit/d56574285e8859d3d715eb7829784ee74337b7d7 (v7.16.0)
CVE-2024-7008 (Unsanitized user-input in Calibre <= 7.15.0 allow attackers to perform ...)
- calibre 7.16.0+ds-1
[bookworm] - calibre 6.13.0+repack-2+deb12u4
- [bullseye] - calibre <no-dsa> (Minor issue)
+ [bullseye] - calibre 5.12.0+dfsg-1+deb11u2
NOTE: https://starlabs.sg/advisories/24/24-7008/
NOTE: https://github.com/kovidgoyal/calibre/commit/863abac24e7bc3e5ca0b3307362ff1953ba53fe0 (v7.16.0)
CVE-2024-6886 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
@@ -7159,7 +7159,7 @@ CVE-2024-37281 (An issue was discovered in Kibana where a user with Viewer role
CVE-2024-7264 (libcurl's ASN1 parser code has the `GTime2str()` function, used for pa ...)
- curl 8.9.1-1 (bug #1077656)
[bookworm] - curl 7.88.1-10+deb12u7
- [bullseye] - curl <no-dsa> (Minor issue)
+ [bullseye] - curl 7.74.0-1.3+deb11u13
NOTE: https://curl.se/docs/CVE-2024-7264.html
NOTE: Introduced by: https://github.com/curl/curl/commit/3a24cb7bc456366cbc3a03f7ab6d2576105a1f2d (curl-7_32_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/27959ecce75cdb2809c0bdb3286e60e08fadb519 (curl-8_9_1)
@@ -12190,10 +12190,10 @@ CVE-2024-6666 (The WP ERP plugin for WordPress is vulnerable to SQL Injection vi
CVE-2024-6655 (A flaw was found in the GTK library. Under certain conditions, it is p ...)
- gtk+3.0 3.24.43-1
[bookworm] - gtk+3.0 3.24.38-2~deb12u2
- [bullseye] - gtk+3.0 <no-dsa> (Minor issue)
+ [bullseye] - gtk+3.0 3.24.24-4+deb11u4
- gtk+2.0 2.24.33-5
[bookworm] - gtk+2.0 2.24.33-2+deb12u1
- [bullseye] - gtk+2.0 <no-dsa> (Minor issue)
+ [bullseye] - gtk+2.0 2.24.33-2+deb11u1
NOTE: https://gitlab.gnome.org/GNOME/gtk/-/issues/6786
CVE-2024-6664
REJECTED
@@ -14766,7 +14766,7 @@ CVE-2024-40898 (SSRF in Apache HTTP Server on Windows with mod_rewrite in server
CVE-2024-40725 (A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4 ...)
- apache2 2.4.62-1
[bookworm] - apache2 2.4.62-1~deb12u1
- [bullseye] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
+ [bullseye] - apache2 2.4.62-1~deb11u1
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-40725
NOTE: Introduced due to fix for CVE-2024-39884 (this CVE was fixed in 2.4.60)
NOTE: Fixed by https://github.com/apache/httpd/commit/a7d24b4ea9a6ea35878fd33075365328caafcf91 (2.4.62)
@@ -19571,7 +19571,7 @@ CVE-2024-1495 (An issue has been discovered in GitLab CE/EE affecting all versio
CVE-2023-52890 (NTFS-3G before 75dcdc2 has a use-after-free in ntfs_uppercase_mbs in l ...)
- ntfs-3g 1:2022.10.3-3 (bug #1073248)
[bookworm] - ntfs-3g <no-dsa> (Minor issue)
- [bullseye] - ntfs-3g <no-dsa> (Minor issue)
+ [bullseye] - ntfs-3g 1:2017.3.23AR.3-4+deb11u4
[buster] - ntfs-3g <postponed> (Minor issue; can be fixed in next update)
NOTE: https://github.com/tuxera/ntfs-3g/issues/84
NOTE: Fixed by: https://github.com/tuxera/ntfs-3g/commit/75dcdc2cf37478fad6c0e3427403d198b554951d
@@ -20288,7 +20288,7 @@ CVE-2024-35235 (OpenPrinting CUPS is an open source printing system for Linux an
{DLA-3826-1}
- cups 2.4.7-2 (bug #1073002)
[bookworm] - cups 2.4.2-3+deb12u6
- [bullseye] - cups <no-dsa> (Minor issue)
+ [bullseye] - cups 2.3.3op2-3+deb11u7
NOTE: https://www.openwall.com/lists/oss-security/2024/06/11/1
NOTE: Fixed by: https://github.com/OpenPrinting/cups/commit/a436956f374b0fd7f5da9df482e4f5840fa1c0d2
CVE-2024-5530 (The ShopLentor \u2013 WooCommerce Builder for Elementor & Gutenberg +1 ...)
@@ -25002,7 +25002,7 @@ CVE-2024-2036 (The ApplyOnline \u2013 Application Form Builder and Manager plugi
CVE-2024-29421 (xmedcon 0.23.0 and fixed in v.0.24.0 is vulnerable to Buffer Overflow ...)
- xmedcon 0.24.0-gtk3+dfsg-1 (bug #1077369)
[bookworm] - xmedcon 0.23.0-gtk3+dfsg-1+deb12u1
- [bullseye] - xmedcon <no-dsa> (Minor issue)
+ [bullseye] - xmedcon 0.16.3+dfsg-1+deb11u1
NOTE: https://github.com/SpikeReply/advisories/blob/530dbd7ce68600a22c47dd1bcbe360220feda1d9/cve/xmedcon/cve-2024-29421.md
CVE-2024-29392 (Silverpeas Core 6.3 is vulnerable to Cross Site Scripting (XSS) via Cl ...)
NOT-FOR-US: Silverpeas Core
@@ -37350,22 +37350,18 @@ CVE-2024-33263 (QuickJS commit 3b45d15 was discovered to contain an Assertion Fa
NOTE: https://github.com/bellard/quickjs/issues/277
CVE-2024-33260 (Jerryscript commit cefd391 was discovered to contain a segmentation vi ...)
- iotjs <removed>
- [bullseye] - iotjs <ignored> (Minor issue)
[buster] - iotjs <ignored> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5133
CVE-2024-33259 (Jerryscript commit cefd391 was discovered to contain a segmentation vi ...)
- iotjs <removed>
- [bullseye] - iotjs <ignored> (Minor issue)
[buster] - iotjs <ignored> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5132
CVE-2024-33258 (Jerryscript commit ff9ff8f was discovered to contain a segmentation vi ...)
- iotjs <removed>
- [bullseye] - iotjs <ignored> (Minor issue)
[buster] - iotjs <ignored> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5114
CVE-2024-33255 (Jerryscript commit cefd391 was discovered to contain an Assertion Fail ...)
- iotjs <removed>
- [bullseye] - iotjs <ignored> (Minor issue)
[buster] - iotjs <ignored> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5135
CVE-2024-32957 (Missing Authorization vulnerability in Live Composer Team Page Builder ...)
@@ -37522,7 +37518,7 @@ CVE-2024-32404 (Server-Side Template Injection (SSTI) vulnerability in inducer r
CVE-2024-31755 (cJSON v1.7.17 was discovered to contain a segmentation violation, whic ...)
- cjson 1.7.18-1 (bug #1071742)
[bookworm] - cjson <no-dsa> (Minor issue)
- [bullseye] - cjson <no-dsa> (Minor issue)
+ [bullseye] - cjson 1.7.14-1+deb11u1
[buster] - cjson <postponed> (Sefault only; can be piggy-backed with future DLAs)
NOTE: https://github.com/DaveGamble/cJSON/issues/839
NOTE: https://github.com/DaveGamble/cJSON/pull/840
@@ -40728,7 +40724,7 @@ CVE-2024-31497 (In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce gener
{DLA-3839-1}
- putty 0.81-1
[bookworm] - putty 0.78-2+deb12u2
- [bullseye] - putty <no-dsa> (Minor issue)
+ [bullseye] - putty 0.74-1+deb11u2
- filezilla 3.67.0-1
[bookworm] - filezilla <no-dsa> (Minor issue)
[bullseye] - filezilla <no-dsa> (Minor issue)
@@ -46416,7 +46412,6 @@ CVE-2024-29640 (An issue in aliyundrive-webdav v.2.3.3 and before allows a remot
NOT-FOR-US: aliyundrive-webdav
CVE-2024-29489 (Jerryscript 2.4.0 has SEGV at ./jerry-core/ecma/base/ecma-helpers.c:23 ...)
- iotjs <removed>
- [bullseye] - iotjs <ignored> (Minor issue)
[buster] - iotjs <ignored> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5101
NOTE: https://github.com/jerryscript-project/jerryscript/pull/5129
@@ -48617,7 +48612,7 @@ CVE-2024-2494 (A flaw was found in the RPC library APIs of libvirt. The RPC serv
{DLA-3778-1}
- libvirt 10.2.0-1 (bug #1067461)
[bookworm] - libvirt 9.0.0-4+deb12u1
- [bullseye] - libvirt <no-dsa> (Minor issue)
+ [bullseye] - libvirt 7.0.0-3+deb11u3
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2270115
NOTE: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/BKRQXPLPC6B7FLHJXSBQYW7HNDEBW6RJ/
NOTE: Fixed by: https://gitlab.com/libvirt/libvirt/-/commit/8a3f8d957507c1f8223fdcf25a3ff885b15557f2 (v10.2.0-rc1)
@@ -51873,13 +51868,13 @@ CVE-2024-2496 (A NULL pointer dereference flaw was found in the udevConnectListA
{DLA-3778-1}
- libvirt 9.8.0-1
[bookworm] - libvirt 9.0.0-4+deb12u1
- [bullseye] - libvirt <no-dsa> (Minor issue)
+ [bullseye] - libvirt 7.0.0-3+deb11u3
NOTE: Fixed by: https://gitlab.com/libvirt/libvirt/-/commit/2ca94317ac642a70921947150ced8acc674ccdc8 (v9.8.0-rc1)
CVE-2024-1441 (An off-by-one error flaw was found in the udevListInterfacesByStatus() ...)
{DLA-3778-1}
- libvirt 10.1.0-1 (bug #1066058)
[bookworm] - libvirt 9.0.0-4+deb12u1
- [bullseye] - libvirt <no-dsa> (Minor issue)
+ [bullseye] - libvirt 7.0.0-3+deb11u3
NOTE: Introduced by: https://gitlab.com/libvirt/libvirt/-/commit/5a33366f5c0b18c93d161bd144f9f079de4ac8ca (v1.0.0-rc1)
NOTE: Introduced by: https://gitlab.com/libvirt/libvirt/-/commit/d6064e2759a24e0802f363e3a810dc5a7d7ebb15 (v5.10.0-rc1)
NOTE: Fixed by: https://gitlab.com/libvirt/libvirt/-/commit/c664015fe3a7bf59db26686e9ed69af011c6ebb8 (v10.1.0)
@@ -62349,6 +62344,7 @@ CVE-2024-0914 (A timing side-channel vulnerability has been discovered in the op
CVE-2024-0911 (A flaw was found in indent, a program for formatting C code. This issu ...)
- indent 2.2.13-4 (unimportant; bug #1061543)
[bookworm] - indent 2.2.12-4+deb12u3
+ [bullseye] - indent 2.2.12-1+deb11u1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2259883
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2260399
NOTE: https://lists.gnu.org/archive/html/bug-indent/2024-01/msg00001.html
@@ -62484,14 +62480,14 @@ CVE-2023-40551 (A flaw was found in the MZ binary format in Shim. An out-of-boun
{DLA-3813-1}
- shim 15.8-1 (bug #1061519)
[bookworm] - shim 15.8-1~deb12u1
- [bullseye] - shim <no-dsa> (Minor issue, fix with a point release)
+ [bullseye] - shim 15.8-1~deb11u1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2259918
NOTE: https://github.com/rhboot/shim/commit/5a5147d1e19cf90ec280990c84061ac3f67ea1ab (15.8)
CVE-2023-40550 (An out-of-bounds read flaw was found in Shim when it tried to validate ...)
{DLA-3813-1}
- shim 15.8-1 (bug #1061519)
[bookworm] - shim 15.8-1~deb12u1
- [bullseye] - shim <no-dsa> (Minor issue, fix with a point release)
+ [bullseye] - shim 15.8-1~deb11u1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2259915
NOTE: https://github.com/rhboot/shim/commit/93ce2552f3e9f71f888a672913bfc0eef255c56d (15.8)
NOTE: Followup: https://github.com/rhboot/shim/commit/e7f5fdf53ee68025f3ef2688e2f27ccb0082db83 (15.8)
@@ -62499,28 +62495,28 @@ CVE-2023-40549 (An out-of-bounds read flaw was found in Shim due to the lack of
{DLA-3813-1}
- shim 15.8-1 (bug #1061519)
[bookworm] - shim 15.8-1~deb12u1
- [bullseye] - shim <no-dsa> (Minor issue, fix with a point release)
+ [bullseye] - shim 15.8-1~deb11u1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2241797
NOTE: https://github.com/rhboot/shim/commit/afdc5039de0a4a3a40162a32daa070f94a883f09 (15.8)
CVE-2023-40548 (A buffer overflow was found in Shim in the 32-bit system. The overflow ...)
{DLA-3813-1}
- shim 15.8-1 (bug #1061519)
[bookworm] - shim 15.8-1~deb12u1
- [bullseye] - shim <no-dsa> (Minor issue, fix with a point release)
+ [bullseye] - shim 15.8-1~deb11u1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2241782
NOTE: https://github.com/rhboot/shim/commit/96dccc255b16e9465dbee50b3cef6b3db74d11c8 (15.8)
CVE-2023-40547 (A remote code execution vulnerability was found in Shim. The Shim boot ...)
{DLA-3813-1}
- shim 15.8-1 (bug #1061519)
[bookworm] - shim 15.8-1~deb12u1
- [bullseye] - shim <no-dsa> (Minor issue, fix with a point release)
+ [bullseye] - shim 15.8-1~deb11u1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2234589
NOTE: https://github.com/rhboot/shim/commit/0226b56513b2b8bd5fd281bce77c40c9bf07c66d (15.8)
CVE-2023-40546 (A flaw was found in Shim when an error happened while creating a new E ...)
{DLA-3813-1}
- shim 15.8-1 (bug #1061519)
[bookworm] - shim 15.8-1~deb12u1
- [bullseye] - shim <no-dsa> (Minor issue, fix with a point release)
+ [bullseye] - shim 15.8-1~deb11u1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2241796
NOTE: https://github.com/rhboot/shim/commit/66e6579dbf921152f647a0c16da1d3b2f40861ca (15.8)
NOTE: https://github.com/rhboot/shim/commit/dae82f6bd72cf600e5d48046ec674a441d0f49d7 (15.8)
@@ -70517,6 +70513,7 @@ CVE-2023-50563 (Semcms v4.8 was discovered to contain a SQL injection vulnerabil
CVE-2023-50472 (cJSON v1.7.16 was discovered to contain a segmentation violation via t ...)
- cjson 1.7.17-1 (unimportant; bug #1059287)
[bookworm] - cjson 1.7.15-1+deb12u1
+ [bullseye] - cjson 1.7.14-1+deb11u1
[buster] - cjson <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/DaveGamble/cJSON/issues/803
NOTE: Fixed by: https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8
@@ -70525,7 +70522,7 @@ CVE-2023-50471 (cJSON v1.7.16 was discovered to contain a segmentation violation
{DLA-3700-1}
- cjson 1.7.17-1 (bug #1059287)
[bookworm] - cjson 1.7.15-1+deb12u1
- [bullseye] - cjson <no-dsa> (Minor issue)
+ [bullseye] - cjson 1.7.14-1+deb11u1
NOTE: https://github.com/DaveGamble/cJSON/issues/802
NOTE: Fixed by: https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8
CVE-2023-50371 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
@@ -74366,7 +74363,7 @@ CVE-2023-49210 (The openssl (aka node-openssl) NPM package through 2.0.0 was cha
CVE-2023-49208 (scheme/webauthn.c in Glewlwyd SSO server before 2.7.6 has a possible b ...)
- glewlwyd 2.7.6+ds-1
[bookworm] - glewlwyd 2.7.5-3+deb12u1
- [bullseye] - glewlwyd <no-dsa> (Minor issue)
+ [bullseye] - glewlwyd 2.5.2-2+deb11u3
[buster] - glewlwyd <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/babelouest/glewlwyd/commit/f9d8c06aae8dfe17e761b18b577ff169e059e812 (v2.7.6)
NOTE: Introduced by: https://github.com/babelouest/glewlwyd/commit/13265133e8287f246f2feecb24449179d20c9f0e (v2.0.0b1)
@@ -85465,7 +85462,6 @@ CVE-2023-36234 (Cross Site Scripting (XSS) vulnerability in Netbox 3.5.1, allows
- netbox <itp> (bug #1017079)
CVE-2023-36109 (Buffer Overflow vulnerability in JerryScript version 3.0, allows remot ...)
- iotjs <removed>
- [bullseye] - iotjs <ignored> (Minor issue)
[buster] - iotjs <ignored> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5080
CVE-2023-34575 (SQL injection vulnerability in PrestaShop opartsavecart through 2.0.7 ...)
@@ -89920,7 +89916,6 @@ CVE-2023-38976 (An issue in weaviate v.1.20.0 allows a remote attacker to cause
NOT-FOR-US: weaviate
CVE-2023-38961 (Buffer Overflwo vulnerability in JerryScript Project jerryscript v.3.0 ...)
- iotjs <removed>
- [bullseye] - iotjs <ignored> (Minor issue)
[buster] - iotjs <ignored> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5092
CVE-2023-38899 (SQL injection vulnerability in berkaygediz O_Blog v.1.0 allows a local ...)
@@ -90730,7 +90725,7 @@ CVE-2023-39950 (efibootguard is a simple UEFI boot loader with support for safel
CVE-2023-40305 (GNU indent 2.2.13 has a heap-based buffer overflow in search_brace in ...)
- indent 2.2.13-3 (bug #1049366)
[bookworm] - indent 2.2.12-4+deb12u2
- [bullseye] - indent <no-dsa> (Minor issue)
+ [bullseye] - indent 2.2.12-1+deb11u1
[buster] - indent <no-dsa> (Minor issue)
NOTE: https://savannah.gnu.org/bugs/index.php?64503
CVE-2023-40303 (GNU inetutils before 2.5 may allow privilege escalation because of unc ...)
@@ -96113,7 +96108,6 @@ CVE-2023-36256 (The Online Examination System Project 1.0 version is vulnerable
NOT-FOR-US: Online Examination System Project
CVE-2023-36201 (An issue in JerryscriptProject jerryscript v.3.0.0 allows an attacker ...)
- iotjs <removed>
- [bullseye] - iotjs <ignored> (Minor issue)
[buster] - iotjs <ignored> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5026
CVE-2023-34197 (Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP ...)
@@ -98517,12 +98511,10 @@ CVE-2023-34878 (An issue was discovered in Ujcms v6.0.2 allows attackers to gain
NOT-FOR-US: Ujcms
CVE-2023-34868 (Jerryscript 3.0 (commit 05dbbd1) was discovered to contain an Assertio ...)
- iotjs <removed>
- [bullseye] - iotjs <ignored> (Minor issue)
[buster] - iotjs <ignored> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5083
CVE-2023-34867 (Jerryscript 3.0 (commit 05dbbd1) was discovered to contain an Assertio ...)
- iotjs <removed>
- [bullseye] - iotjs <ignored> (Minor issue)
[buster] - iotjs <ignored> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5084
CVE-2023-34865 (Directory traversal vulnerability in ujcms 6.0.2 allows attackers to m ...)
@@ -101910,32 +101902,26 @@ CVE-2023-31921 (Jerryscript 3.0 (commit 05dbbd1) was discovered to contain an As
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5068
CVE-2023-31920 (Jerryscript 3.0 (commit 05dbbd1) was discovered to contain an Assertio ...)
- iotjs <removed>
- [bullseye] - iotjs <ignored> (Minor issue)
[buster] - iotjs <ignored> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5070
CVE-2023-31919 (Jerryscript 3.0 (commit 05dbbd1) was discovered to contain an Assertio ...)
- iotjs <removed>
- [bullseye] - iotjs <ignored> (Minor issue)
[buster] - iotjs <ignored> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5069
CVE-2023-31918 (Jerryscript 3.0 (commit 1a2c047) was discovered to contain an Assertio ...)
- iotjs <removed>
- [bullseye] - iotjs <ignored> (Minor issue)
[buster] - iotjs <ignored> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5064
CVE-2023-31916 (Jerryscript 3.0 (commit 1a2c047) was discovered to contain an Assertio ...)
- iotjs <removed>
- [bullseye] - iotjs <ignored> (Minor issue)
[buster] - iotjs <ignored> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5062
CVE-2023-31914 (Jerryscript 3.0 (commit 05dbbd1) was discovered to contain out-of-memo ...)
- iotjs <removed>
- [bullseye] - iotjs <ignored> (Minor issue)
[buster] - iotjs <ignored> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5071
CVE-2023-31913 (Jerryscript 3.0 *commit 1a2c047) was discovered to contain an Assertio ...)
- iotjs <removed>
- [bullseye] - iotjs <ignored> (Minor issue)
[buster] - iotjs <ignored> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5061
CVE-2023-2682 (A vulnerability was found in Caton Live up to 2023-04-26 and classifie ...)
@@ -102141,22 +102127,18 @@ CVE-2023-32070 (XWiki Platform is a generic wiki platform. Prior to version 14.6
NOT-FOR-US: XWiki
CVE-2023-31910 (Jerryscript 3.0 (commit 05dbbd1) was discovered to contain a heap-buff ...)
- iotjs <removed>
- [bullseye] - iotjs <ignored> (Minor issue)
[buster] - iotjs <ignored> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5076
CVE-2023-31908 (Jerryscript 3.0 (commit 05dbbd1) was discovered to contain a heap-buff ...)
- iotjs <removed>
- [bullseye] - iotjs <ignored> (Minor issue)
[buster] - iotjs <ignored> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5067
CVE-2023-31907 (Jerryscript 3.0.0 was discovered to contain a heap-buffer-overflow via ...)
- iotjs <removed>
- [bullseye] - iotjs <ignored> (Minor issue)
[buster] - iotjs <ignored> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5073
CVE-2023-31906 (Jerryscript 3.0.0(commit 1a2c047) was discovered to contain a heap-buf ...)
- iotjs <removed>
- [bullseye] - iotjs <ignored> (Minor issue)
[buster] - iotjs <ignored> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5066
CVE-2023-31568 (Podofo v0.10.0 was discovered to contain a heap buffer overflow via th ...)
@@ -105782,7 +105764,6 @@ CVE-2023-30415 (Sourcecodester Packers and Movers Management System v1.0 was dis
NOT-FOR-US: Sourcecodester Packers and Movers Management System
CVE-2023-30414 (Jerryscript commit 1a2c047 was discovered to contain a stack overflow ...)
- iotjs <removed>
- [bullseye] - iotjs <ignored> (Minor issue)
[buster] - iotjs <ignored> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5051
CVE-2023-30413
@@ -105793,21 +105774,18 @@ CVE-2023-30411
RESERVED
CVE-2023-30410 (Jerryscript commit 1a2c047 was discovered to contain a stack overflow ...)
- iotjs <removed>
- [bullseye] - iotjs <ignored> (Minor issue)
[buster] - iotjs <ignored> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5052
CVE-2023-30409
RESERVED
CVE-2023-30408 (Jerryscript commit 1a2c047 was discovered to contain a segmentation vi ...)
- iotjs <removed>
- [bullseye] - iotjs <ignored> (Minor issue)
[buster] - iotjs <ignored> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5057
CVE-2023-30407
RESERVED
CVE-2023-30406 (Jerryscript commit 1a2c047 was discovered to contain a segmentation vi ...)
- iotjs <removed>
- [bullseye] - iotjs <ignored> (Minor issue)
[buster] - iotjs <ignored> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5058
CVE-2023-30405 (A cross-site scripting (XSS) vulnerability in Aigital Wireless-N Repea ...)
@@ -111077,7 +111055,7 @@ CVE-2023-28643 (Nextcloud server is an open source home cloud implementation. In
CVE-2023-28642 (runc is a CLI tool for spawning and running containers according to th ...)
{DLA-3369-1}
- runc 1.1.5+ds1-1
- [bullseye] - runc <no-dsa> (Minor issue)
+ [bullseye] - runc 1.0.0~rc93+ds1-5+deb11u5
NOTE: https://github.com/opencontainers/runc/security/advisories/GHSA-g2j6-57v7-gm8c
NOTE: https://github.com/opencontainers/runc/pull/3785
NOTE: same fix as CVE-2023-27561
@@ -119605,7 +119583,7 @@ CVE-2023-25810 (Uptime Kuma is a self-hosted monitoring tool. In versions prior
NOT-FOR-US: Uptime Kuma
CVE-2023-25809 (runc is a CLI tool for spawning and running containers according to th ...)
- runc 1.1.5+ds1-1
- [bullseye] - runc <no-dsa> (Minor issue)
+ [bullseye] - runc 1.0.0~rc93+ds1-5+deb11u4
[buster] - runc <not-affected> (Vulnerable code not present)
NOTE: https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc
NOTE: https://github.com/opencontainers/runc/commit/0e6b818a2b0d24fdb6697614e5c5f115bbe8e3a5 (v1.1.5)
@@ -146703,7 +146681,7 @@ CVE-2023-20585
CVE-2023-20584 (IOMMU improperly handles certain special address ranges with invalid d ...)
- amd64-microcode 3.20240820.1
[bookworm] - amd64-microcode 3.20240820.1~deb12u1
- [bullseye] - amd64-microcode <no-dsa> (Minor issue)
+ [bullseye] - amd64-microcode 3.20240820.1~deb11u1
NOTE: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3003.html
NOTE: https://lore.kernel.org/all/20240820182655.42311-1-john.allen@amd.com/
CVE-2023-20583 (A potential power side-channel vulnerability in AMD processors may all ...)
@@ -160275,7 +160253,7 @@ CVE-2022-39370 (GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is
CVE-2022-39369 (phpCAS is an authentication library that allows PHP applications to ea ...)
{DLA-3485-1}
- php-cas 1.6.0-1 (bug #1023571)
- [bullseye] - php-cas <no-dsa> (Will be fixed via a point release)
+ [bullseye] - php-cas 1.3.8-1+deb11u1
NOTE: https://github.com/apereo/phpCAS/security/advisories/GHSA-8q72-6qq8-xv64
NOTE: Fixed by: https://github.com/apereo/phpCAS/commit/b759361d904a2cb2a3bcee9411fc348cfde5d163 (1.6.0)
CVE-2022-39368 (Eclipse Californium is a Java implementation of RFC7252 - Constrained ...)
@@ -169412,13 +169390,13 @@ CVE-2022-36181
CVE-2022-36180 (Fusiondirectory 1.3 is vulnerable to Cross Site Scripting (XSS) via /f ...)
{DLA-3487-1}
- fusiondirectory <removed>
- [bullseye] - fusiondirectory <no-dsa> (Minor issue)
+ [bullseye] - fusiondirectory 1.3-4+deb11u1
NOTE: https://yoroi.company/research/cve-advisory-full-disclosure-multiple-vulnerabilities/
NOTE: https://github.com/fusiondirectory/fusiondirectory/commit/fadebb79b932a0260bdb8723eb23694a3ae62366 (fusiondirectory-1.3.1)
CVE-2022-36179 (Fusiondirectory 1.3 suffers from Improper Session Handling.)
{DLA-3487-1}
- fusiondirectory <removed>
- [bullseye] - fusiondirectory <no-dsa> (Minor issue)
+ [bullseye] - fusiondirectory 1.3-4+deb11u1
NOTE: https://yoroi.company/research/cve-advisory-full-disclosure-multiple-vulnerabilities/
NOTE: https://github.com/fusiondirectory/fusiondirectory/commit/d84cf05573b52df98418adf3716daf365e8da745 (fusiondirectory-1.3.1)
CVE-2022-36178
@@ -187015,7 +186993,7 @@ CVE-2022-1544 (Formula Injection/CSV Injection due to Improper Neutralization of
NOT-FOR-US: yii-helpers
CVE-2022-29967 (static_compressed_inmemory_website_callback.c in Glewlwyd through 2.6. ...)
- glewlwyd 2.7.0-1
- [bullseye] - glewlwyd <no-dsa> (Minor issue)
+ [bullseye] - glewlwyd 2.5.2-2+deb11u3
[buster] - glewlwyd <no-dsa> (Minor issue)
NOTE: https://github.com/babelouest/glewlwyd/commit/e3f7245c33897bf9b3a75acfcdb8b7b93974bf11
CVE-2022-29966
@@ -195167,7 +195145,7 @@ CVE-2022-1020 (The Product Table for WooCommerce (wooproducttable) WordPress plu
NOT-FOR-US: WordPress plugin
CVE-2022-27240 (scheme/webauthn.c in Glewlwyd SSO server 2.x before 2.6.2 has a buffer ...)
- glewlwyd 2.6.1-2
- [bullseye] - glewlwyd <no-dsa> (Minor issue)
+ [bullseye] - glewlwyd 2.5.2-2+deb11u3
[buster] - glewlwyd <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/babelouest/glewlwyd/commit/4c5597c155bfbaf6491cf6b83479d241ae66940a (v2.6.2)
NOTE: Introduced by: https://github.com/babelouest/glewlwyd/commit/e5007f6e102f1260a9562654c4e88f1c6de12c02 (v2.0.0-b1)
@@ -196616,7 +196594,7 @@ CVE-2022-0898 (The IgniteUp WordPress plugin through 3.4.1 does not sanitise and
CVE-2022-0897 (A flaw was found in the libvirt nwfilter driver. The virNWFilterObjLis ...)
{DLA-3778-1}
- libvirt 8.2.0-1 (bug #1009075)
- [bullseye] - libvirt <no-dsa> (Minor issue)
+ [bullseye] - libvirt 7.0.0-3+deb11u3
[stretch] - libvirt <postponed> (Minor issue)
NOTE: https://gitlab.com/libvirt/libvirt/-/commit/a4947e8f63c3e6b7b067b444f3d6cf674c0d7f36 (v8.2.0-rc1)
CVE-2022-0896 (Improper Neutralization of Special Elements Used in a Template Engine ...)
@@ -207886,13 +207864,11 @@ CVE-2021-46350 (There is an Assertion 'ecma_is_value_object (value)' failed at j
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4936
CVE-2021-46349 (There is an Assertion 'type == ECMA_OBJECT_TYPE_GENERAL || type == ECM ...)
- iotjs <removed> (bug #1004288)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4954
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4937
CVE-2021-46348 (There is an Assertion 'ECMA_STRING_IS_REF_EQUALS_TO_ONE (string_p)' fa ...)
- iotjs <removed> (bug #1004288)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4961
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4941
@@ -207902,7 +207878,6 @@ CVE-2021-46347 (There is an Assertion 'ecma_object_check_class_name_is_object (o
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4938
CVE-2021-46346 (There is an Assertion 'local_tza == ecma_date_local_time_zone_adjustme ...)
- iotjs <removed> (bug #1004288)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4955
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4939
@@ -207926,7 +207901,6 @@ CVE-2021-46341
RESERVED
CVE-2021-46340 (There is an Assertion 'context_p->stack_top_uint8 == SCAN_STACK_TRY_ST ...)
- iotjs <removed> (bug #1004288)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4964
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4924
@@ -207935,7 +207909,6 @@ CVE-2021-46339 (There is an Assertion 'lit_is_valid_cesu8_string (string_p, stri
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4935
CVE-2021-46338 (There is an Assertion 'ecma_is_lexical_environment (object_p)' failed ...)
- iotjs <removed> (bug #1004288)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4943
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4933
@@ -209404,37 +209377,31 @@ CVE-2022-22896
RESERVED
CVE-2022-22895 (Jerryscript 3.0.0 was discovered to contain a heap-buffer-overflow via ...)
- iotjs <removed> (bug #1004298)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4850
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4882
CVE-2022-22894 (Jerryscript 3.0.0 was discovered to contain a stack overflow via ecma_ ...)
- iotjs <removed> (bug #1004298)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4890
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4899
CVE-2022-22893 (Jerryscript 3.0.0 was discovered to contain a stack overflow via vm_lo ...)
- iotjs <removed> (bug #1004298)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4901
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4945
CVE-2022-22892 (There is an Assertion 'ecma_is_value_undefined (value) || ecma_is_valu ...)
- iotjs <removed> (bug #1004298)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4872
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4878
CVE-2022-22891 (Jerryscript 3.0.0 was discovered to contain a SEGV vulnerability via e ...)
- iotjs <removed> (bug #1004298)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4871
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4885
CVE-2022-22890 (There is an Assertion 'arguments_type != SCANNER_ARGUMENTS_PRESENT && ...)
- iotjs <removed> (bug #1004298)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4849
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4847
@@ -209442,7 +209409,6 @@ CVE-2022-22889
RESERVED
CVE-2022-22888 (Jerryscript 3.0.0 was discovered to contain a stack overflow via ecma_ ...)
- iotjs <removed> (bug #1004298)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4877
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4848
@@ -209830,7 +209796,6 @@ CVE-2021-46171 (Modex v2.11 was discovered to contain a NULL pointer dereference
NOT-FOR-US: Modex
CVE-2021-46170 (An issue was discovered in JerryScript commit a6ab5e9. There is an Use ...)
- iotjs <removed> (bug #1015219)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4917
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4942/commits/5e1fdd1d1e75105b43392b4bb3996099cdc50f3d
@@ -214190,7 +214155,7 @@ CVE-2021-4148 (A vulnerability was found in the Linux kernel's block_invalidatep
CVE-2021-4147 (A flaw was found in the libvirt libxl driver. A malicious guest could ...)
{DLA-3778-1}
- libvirt 7.10.0-2 (bug #1002535)
- [bullseye] - libvirt <no-dsa> (Minor issue)
+ [bullseye] - libvirt 7.0.0-3+deb11u3
[stretch] - libvirt <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2034195
NOTE: https://listman.redhat.com/archives/libvir-list/2021-November/msg00908.html
@@ -219238,7 +219203,7 @@ CVE-2021-3976 (kimai2 is vulnerable to Cross-Site Request Forgery (CSRF))
CVE-2021-3975 (A use-after-free flaw was found in libvirt. The qemuMonitorUnregister( ...)
{DLA-3778-1}
- libvirt 7.6.0-1
- [bullseye] - libvirt <no-dsa> (Minor issue)
+ [bullseye] - libvirt 7.0.0-3+deb11u3
[stretch] - libvirt <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2024326
NOTE: Fixed by: https://github.com/libvirt/libvirt/commit/1ac703a7d0789e46833f4013a3876c2e3af18ec7 (v7.1.0-rc2)
@@ -220124,7 +220089,7 @@ CVE-2021-43785 (@joeattardi/emoji-button is a Vanilla JavaScript emoji picker co
CVE-2021-43784 (runc is a CLI tool for spawning and running containers on Linux accord ...)
{DLA-3735-1 DLA-2841-1}
- runc 1.0.3+ds1-1
- [bullseye] - runc <ignored> (Minor issue; not exploitable in 1.0.0)
+ [bullseye] - runc 1.0.0~rc93+ds1-5+deb11u4
NOTE: https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f
NOTE: https://www.openwall.com/lists/oss-security/2021/12/06/1
NOTE: Fixed by: https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae
@@ -222067,7 +222032,6 @@ CVE-2021-43454 (An Unquoted Service Path vulnerability exists in AnyTXT Searcher
NOT-FOR-US: AnyTXT Searcher for Windows
CVE-2021-43453 (A Heap-based Buffer Overflow vulnerability exists in JerryScript 2.4.0 ...)
- iotjs <removed> (bug #1015219)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4808
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4754
@@ -224604,7 +224568,6 @@ CVE-2021-42864
RESERVED
CVE-2021-42863 (A buffer overflow in ecma_builtin_typedarray_prototype_filter() in Jer ...)
- iotjs <removed> (bug #1015219)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4793
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4794
@@ -228260,7 +228223,6 @@ CVE-2021-41960
RESERVED
CVE-2021-41959 (JerryScript Git version 14ff5bf does not sufficiently track and releas ...)
- iotjs <removed> (bug #1015219)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4781
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4166
@@ -228843,7 +228805,6 @@ CVE-2021-41752 (Stack overflow vulnerability in Jerryscript before commit e1ce7d
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4779
CVE-2021-41751 (Buffer overflow vulnerability in file ecma-builtin-array-prototype.c:9 ...)
- iotjs <removed> (bug #1015219)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/pull/4797
NOTE: https://github.com/jerryscript-project/jerryscript/commit/4912e3b739f4d00e51a46d883b020d2208be28a2
@@ -229014,12 +228975,10 @@ CVE-2021-41684
RESERVED
CVE-2021-41683 (There is a stack-overflow at ecma-helpers.c:326 in ecma_get_lex_env_ty ...)
- iotjs <removed> (bug #1015219)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4745
CVE-2021-41682 (There is a heap-use-after-free at ecma-helpers-string.c:1940 in ecma_c ...)
- iotjs <removed> (bug #1015219)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4747
NOTE: https://github.com/jerryscript-project/jerryscript/commit/3ad76f932c8d2e3b9ba2d95e64848698ec7d7290
@@ -239680,7 +239639,7 @@ CVE-2021-37579 (The Dubbo Provider will check the incoming request and the corre
CVE-2021-3667 (An improper locking issue was found in the virStoragePoolLookupByTarge ...)
{DLA-3778-1}
- libvirt 7.6.0-1 (bug #991594)
- [bullseye] - libvirt <no-dsa> (Minor issue)
+ [bullseye] - libvirt 7.0.0-3+deb11u3
[stretch] - libvirt <not-affected> (Introduced in 4.1)
NOTE: https://libvirt.org/git/?p=libvirt.git;a=commit;h=447f69dec47e1b0bd15ecd7cd49a9fd3b050fb87 (v7.6.0-rc1)
NOTE: Introduced in https://libvirt.org/git/?p=libvirt.git;a=commit;h=7aa0e8c0cb8a6293d0c6f7e3d29c13b96dec2129
@@ -243361,7 +243320,7 @@ CVE-2017-20006 (UnRAR 5.6.1.2 and 5.6.1.3 has a heap-based buffer overflow in Un
CVE-2021-3631 (A flaw was found in libvirt while it generates SELinux MCS category pa ...)
{DLA-3778-1}
- libvirt 7.6.0-1 (bug #990709)
- [bullseye] - libvirt <no-dsa> (Minor issue)
+ [bullseye] - libvirt 7.0.0-3+deb11u3
[stretch] - libvirt <no-dsa> (Minor issue)
NOTE: https://gitlab.com/libvirt/libvirt/-/issues/153
NOTE: Fixed by: https://gitlab.com/libvirt/libvirt/-/commit/15073504dbb624d3f6c911e85557019d3620fdb2 (v7.5.0)
@@ -268773,29 +268732,24 @@ CVE-2021-26200 (The user area for Library System 1.0 is vulnerable to SQL inject
NOT-FOR-US: Library System
CVE-2021-26199 (An issue was discovered in JerryScript 2.4.0. There is a heap-use-afte ...)
- iotjs <removed> (bug #989991)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4056
CVE-2021-26198 (An issue was discovered in JerryScript 2.4.0. There is a SEVG in ecma_ ...)
- iotjs <removed> (bug #989991)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4402
CVE-2021-26197 (An issue was discovered in JerryScript 2.4.0. There is a SEGV in main_ ...)
- iotjs <removed> (bug #989991)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4403
CVE-2021-26196
RESERVED
CVE-2021-26195 (An issue was discovered in JerryScript 2.4.0. There is a heap-buffer-o ...)
- iotjs <removed> (bug #989991)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4442
CVE-2021-26194 (An issue was discovered in JerryScript 2.4.0. There is a heap-use-afte ...)
- iotjs <removed> (bug #989991)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4445
CVE-2021-26193
@@ -284468,14 +284422,14 @@ CVE-2021-20313 (A flaw was found in ImageMagick in versions before 7.0.11. A pot
{DLA-3429-1 DLA-2672-1}
[experimental] - imagemagick 8:6.9.12.20+dfsg1-1
- imagemagick 8:6.9.11.60+dfsg-1.5 (bug #1013282)
- [bullseye] - imagemagick <no-dsa> (Minor issue)
+ [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u4
NOTE: https://github.com/ImageMagick/ImageMagick/commit/70aa86f5d5d8aa605a918ed51f7574f433a18482
NOTE: IM6: https://github.com/ImageMagick/ImageMagick6/commit/e53e24b078f7fa586f9cc910491b8910f5bdad2e
CVE-2021-20312 (A flaw was found in ImageMagick in versions 7.0.11, where an integer o ...)
{DLA-3429-1 DLA-2672-1}
[experimental] - imagemagick 8:6.9.12.20+dfsg1-1
- imagemagick 8:6.9.11.60+dfsg-1.5 (bug #1013282)
- [bullseye] - imagemagick <ignored> (Minor issue)
+ [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u4
NOTE: https://github.com/ImageMagick/ImageMagick/commit/70aa86f5d5d8aa605a918ed51f7574f433a18482
NOTE: https://github.com/ImageMagick/ImageMagick6/commit/e53e24b078f7fa586f9cc910491b8910f5bdad2e
CVE-2021-20311 (A flaw was found in ImageMagick in versions before 7.0.11, where a div ...)
@@ -305263,7 +305217,6 @@ CVE-2020-24345 (JerryScript through 2.3.0 allows stack consumption via function
NOTE: Disputed JerryScript issue
CVE-2020-24344 (JerryScript through 2.3.0 has a (function({a=arguments}){const argumen ...)
- iotjs <removed> (bug #988213)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3976
NOTE: https://github.com/jerryscript-project/jerryscript/commit/841d536fce1ce29267cdf0ea12be4026e1c35d3a
@@ -305629,7 +305582,6 @@ CVE-2020-24188 (Cross-site scripting (XSS) vulnerability in the search functiona
NOT-FOR-US: United Planet Intrexx Professional
CVE-2020-24187 (An issue was discovered in ecma-helpers.c in jerryscript version 2.3.0 ...)
- iotjs <removed>
- [bullseye] - iotjs <ignored> (Minor issue)
[buster] - iotjs <ignored> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4076
CVE-2020-24186 (A Remote Code Execution vulnerability exists in the gVectors wpDiscuz ...)
@@ -307437,27 +307389,22 @@ CVE-2020-23324
RESERVED
CVE-2020-23323 (There is a heap-buffer-overflow at re-parser.c in re_parse_char_escape ...)
- iotjs <removed> (bug #989991)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3871
CVE-2020-23322 (There is an Assertion in 'context_p->token.type == LEXER_RIGHT_BRACE | ...)
- iotjs <removed> (bug #989991)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3869
CVE-2020-23321 (There is a heap-buffer-overflow at lit-strings.c:431 in lit_read_code_ ...)
- iotjs <removed> (bug #989991)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3870
CVE-2020-23320 (There is an Assertion in 'context_p->next_scanner_info_p->type == SCAN ...)
- iotjs <removed> (bug #989991)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3835
CVE-2020-23319 (There is an Assertion in '(flags >> CBC_STACK_ADJUST_SHIFT) >= CBC_STA ...)
- iotjs <removed> (bug #989991)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3834
CVE-2020-23318
@@ -307470,44 +307417,36 @@ CVE-2020-23315 (There is an ASSERTION (pFuncBody->GetYieldRegister() == oldYield
NOT-FOR-US: Microsoft
CVE-2020-23314 (There is an Assertion 'block_found' failed at js-parser-statm.c:2003 p ...)
- iotjs <removed> (bug #989991)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3825
CVE-2020-23313 (There is an Assertion 'scope_stack_p > context_p->scope_stack_p' faile ...)
- iotjs <removed> (bug #989991)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3823
CVE-2020-23312 (There is an Assertion 'context.status_flags & PARSER_SCANNING_SUCCESSF ...)
- iotjs <removed> (bug #989991)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3824
CVE-2020-23311 (There is an Assertion 'context_p->token.type == LEXER_RIGHT_BRACE || c ...)
- iotjs <removed> (bug #989991)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3822
CVE-2020-23310 (There is an Assertion 'context_p->next_scanner_info_p->type == SCANNER ...)
- iotjs <removed> (bug #989991)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3821
CVE-2020-23309 (There is an Assertion 'context_p->stack_depth == context_p->context_st ...)
- iotjs <removed> (bug #989991)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3820
CVE-2020-23308 (There is an Assertion 'context_p->stack_top_uint8 == LEXER_EXPRESSION_ ...)
- iotjs <removed> (bug #989991)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3819
CVE-2020-23307
RESERVED
CVE-2020-23306 (There is a stack-overflow at ecma-regexp-object.c:535 in ecma_regexp_m ...)
- iotjs <removed> (bug #989991)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3753
CVE-2020-23305
@@ -307516,12 +307455,10 @@ CVE-2020-23304
RESERVED
CVE-2020-23303 (There is a heap-buffer-overflow at jmem-poolman.c:165 in jmem_pools_co ...)
- iotjs <removed> (bug #989991)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3749
CVE-2020-23302 (There is a heap-use-after-free at ecma-helpers-string.c:772 in ecma_re ...)
- iotjs <removed> (bug #989991)
- [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3748
CVE-2020-23301
@@ -357013,7 +356950,7 @@ CVE-2019-19922 (kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.c
CVE-2023-27561 (runc through 1.1.4 has Incorrect Access Control leading to Escalation ...)
{DLA-3369-1}
- runc 1.1.5+ds1-1 (bug #1033520)
- [bullseye] - runc <no-dsa> (Minor issue)
+ [bullseye] - runc 1.0.0~rc93+ds1-5+deb11u5
NOTE: https://github.com/opencontainers/runc/issues/3751
NOTE: https://github.com/opencontainers/runc/issues/2197#issuecomment-1437617334
NOTE: https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9
=====================================
data/next-oldstable-point-update.txt
=====================================
@@ -1,103 +1,5 @@
-CVE-2024-31755
- [bullseye] - cjson 1.7.14-1+deb11u1
-CVE-2023-50471
- [bullseye] - cjson 1.7.14-1+deb11u1
-CVE-2023-50472
- [bullseye] - cjson 1.7.14-1+deb11u1
-CVE-2023-52890
- [bullseye] - ntfs-3g 1:2017.3.23AR.3-4+deb11u4
-CVE-2023-40305
- [bullseye] - indent 2.2.12-1+deb11u1
-CVE-2024-0911
- [bullseye] - indent 2.2.12-1+deb11u1
CVE-2021-3654
[bullseye] - nova 2:22.2.2-1+deb11u1
-CVE-2022-27240
- [bullseye] - glewlwyd 2.5.2-2+deb11u3
-CVE-2022-29967
- [bullseye] - glewlwyd 2.5.2-2+deb11u3
-CVE-2023-49208
- [bullseye] - glewlwyd 2.5.2-2+deb11u3
-CVE-2023-40546
- [bullseye] - shim 15.8-1~deb11u1
-CVE-2023-40547
- [bullseye] - shim 15.8-1~deb11u1
-CVE-2023-40548
- [bullseye] - shim 15.8-1~deb11u1
-CVE-2023-40549
- [bullseye] - shim 15.8-1~deb11u1
-CVE-2023-40550
- [bullseye] - shim 15.8-1~deb11u1
-CVE-2023-40551
- [bullseye] - shim 15.8-1~deb11u1
-CVE-2021-43784
- [bullseye] - runc 1.0.0~rc93+ds1-5+deb11u4
-CVE-2023-27561
- [bullseye] - runc 1.0.0~rc93+ds1-5+deb11u5
-CVE-2023-25809
- [bullseye] - runc 1.0.0~rc93+ds1-5+deb11u4
-CVE-2023-28642
- [bullseye] - runc 1.0.0~rc93+ds1-5+deb11u5
-CVE-2024-35235
- [bullseye] - cups 2.3.3op2-3+deb11u7
-CVE-2021-20312
- [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u4
-CVE-2021-20313
- [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u4
-CVE-2024-6655
- [bullseye] - gtk+2.0 2.24.33-2+deb11u1
-CVE-2024-6655
- [bullseye] - gtk+3.0 3.24.24-4+deb11u4
-CVE-2024-31497
- [bullseye] - putty 0.74-1+deb11u2
-CVE-2021-3631
- [bullseye] - libvirt 7.0.0-3+deb11u3
-CVE-2021-3667
- [bullseye] - libvirt 7.0.0-3+deb11u3
-CVE-2021-3975
- [bullseye] - libvirt 7.0.0-3+deb11u3
-CVE-2021-4147
- [bullseye] - libvirt 7.0.0-3+deb11u3
-CVE-2022-0897
- [bullseye] - libvirt 7.0.0-3+deb11u3
-CVE-2024-1441
- [bullseye] - libvirt 7.0.0-3+deb11u3
-CVE-2024-2494
- [bullseye] - libvirt 7.0.0-3+deb11u3
-CVE-2024-2496
- [bullseye] - libvirt 7.0.0-3+deb11u3
-CVE-2022-39369
- [bullseye] - php-cas 1.3.8-1+deb11u1
-CVE-2022-36179
- [bullseye] - fusiondirectory 1.3-4+deb11u1
-CVE-2022-36180
- [bullseye] - fusiondirectory 1.3-4+deb11u1
-CVE-2024-29421
- [bullseye] - xmedcon 0.16.3+dfsg-1+deb11u1
-CVE-2024-40725
- [bullseye] - apache2 2.4.62-1~deb11u1
-CVE-2023-31315
- [bullseye] - amd64-microcode 3.20240710.2~deb11u1
-CVE-2024-24853
- [bullseye] - intel-microcode 3.20240813.1~deb11u1
-CVE-2024-25939
- [bullseye] - intel-microcode 3.20240813.1~deb11u1
-CVE-2024-24980
- [bullseye] - intel-microcode 3.20240813.1~deb11u1
-CVE-2023-42667
- [bullseye] - intel-microcode 3.20240813.1~deb11u1
-CVE-2024-43370
- [bullseye] - gettext.js 0.7.0-2+deb11u1
-CVE-2024-7264
- [bullseye] - curl 7.74.0-1.3+deb11u13
-CVE-2024-7008
- [bullseye] - calibre 5.12.0+dfsg-1+deb11u2
-CVE-2024-7009
- [bullseye] - calibre 5.12.0+dfsg-1+deb11u2
-CVE-2023-31356
- [bullseye] - amd64-microcode 3.20240820.1~deb11u1
-CVE-2023-20584
- [bullseye] - amd64-microcode 3.20240820.1~deb11u1
CVE-2021-24119
[bullseye] - mbedtls 2.16.12-0+deb11u1
CVE-2021-44732
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8675d272e61b147d91d8287d5fc4d8e0be7d1ba8...b78f33ab8e25ff7c3b7862cfcc306632cce872d5
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8675d272e61b147d91d8287d5fc4d8e0be7d1ba8...b78f33ab8e25ff7c3b7862cfcc306632cce872d5
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240831/52c36ebf/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list